A blog about Cyber Security & Compliance

Month

July 2015

Is your organisation equipped to deal with potential financial and reputational damage following an attack?

Has your organisation established an incident management plan that covers data breaches? Recent evidence shows that organisations are ill-equipped to deal with an attack.

Australian bulk deals website, Catch of the Day, suffered a security breach in 2011, with passwords and other user information stolen from the company’s databases. It took until 2014 to notify customers, suggesting there was no response plan in place.

The backlash was very severe for global retail giant, Target, which fell victim to the second largest credit card heist in history. Many customers were outraged about the retailer’s inability to provide information after the breach, and its failure to assure customers that the issue was resolved.

Consequences included settlement payouts of up to $10 million and the resignations of its CIO and CEO.

Organisations should have established and tested incident management plans to respond to data security breaches sooner rather than later. A solid response plan and adherence to these steps can spare much unnecessary business and associated reputational harm.

Here’s a five step plan to ensure you give your organisation the best chance of minimising financial and reputational damage following an attack.

Step 1: Don’t panic, assemble a taskforce

Clear thinking and swift action is required to mitigate the damage. There is no time for blame-shifting. You need a clear, pre-determined response protocol in place to help people focus in what can be a high pressure situation and your incident management plan should follow this protocol.

Having the right team on the job is critical. Bear these factors in mind when assembling your team: Appoint one leader who will have overall responsibility for responding to the breach. Obvious choices are your CIO or chief risk officer. This leader should have a direct reporting line into top level management so decisions can be made quickly.

Include representatives from all relevant areas, including IT, to trace and deal with any technical flaws that led to the breach; and corporate affairs, in case liaison with authorities is required, to manage media and customer communications.

Don’t forget privacy (you do have a chief privacy officer, don’t you?) and legal, to deal with regulators and advise on potential exposure to liability).

If you anticipate that litigation could result from the breach, then it may be appropriate for the detailed internal investigation of the breach to be managed by the legal team. If your organisation doesn’t have these capabilities, seek assistance from third parties at an early stage.

Step 2: Containment

The taskforce should first identify the cause of the breach and ensure that it is contained. Steps may include:

Installing patches to resolve viruses and technology flaws. The ‘Heartbleed’ security bug identified in April 2014 at one time compromised 17 per cent of internet servers. Although a security patch was made available almost immediately once it was discovered, some administrators were slow to react, leaving servers exposed for longer than necessary.

Resetting passwords for user accounts that may have been compromised and advising users to change other accounts on which they use the same password.

Disabling network access for computers known to be infected by viruses or other malware (so they can be quarantined) and blocking the accounts of users that may have been involved in wrongdoing.

Taking steps to recall or delete information such as recalling emails, asking unintended recipients to destroy copies or disabling links that have been mistakenly posted. Take care to ensure that steps taken to contain the breach don’t inadvertently compromise the integrity of any investigation.

Step 3: Assess the extent and severity of the breach

The results will dictate the subsequent steps of your response. A thorough assessment involves:

Identifying who and what has been affected. If it’s not possible to tell exactly what data has been compromised, it may be wise to take a conservative approach to estimation.

Assessing how the data could be used against the victims. If the data contains information that could be used for identity theft or other criminal activity (such as names, dates of birth and credit card numbers) or that could be sensitive (such as medical records), the breach should be treated as more severe. If the data has been encrypted or anonymised, there is a lower risk of harm.

Considering the context of the breach. If there has been a deliberate hacking, rather than an inadvertent breach of security, then the consequences for the relevant individuals or organisations could be much more significant. This should inform how you respond to the breach.

Step 4: Notification

For serious data security breaches, proactive notification is generally the right strategy. A mandatory notification scheme has been proposed in Australia, with the government promising implementation by the end of 2015.

In any case, there are good reasons to consider voluntary notifications, which include:

Victims may be able to protect themselves, for example by changing passwords, cancelling credit cards and monitoring bank statements.

E-Bay was roundly criticised in 2014 for not acting quickly enough to notify users affected by a hacking attack, and only doing so by means of a website notice rather than by sending individual messages. Notices should be practical, suggesting steps that recipients can take to protect themselves.

The Privacy Commissioner may also be involved, particularly if personal information has been stolen. The Commissioner may take a more lenient approach to organisations that proactively address problems when they arise.

Other third parties may also need to be notified. For example, if financial information is compromised, you might notify relevant financial institutions so that they can watch for suspicious transactions.

Step 5: Action to prevent future breaches

Having addressed the immediate threat, prevention is the final step. While customers may understand an isolated failure, they are typically less forgiving of repeated mistakes. Carry out a thorough post-breach audit to determine whether your security practices can be improved.

This could include:

Engaging a data security consultant, which will give you a fresh perspective on your existing practices, and help to reassure customers and others that you do business with.

Rolling out training to relevant personnel to ensure that everyone is up to speed on the latest practices.

Reviewing arrangements with service providers to ensure that they are subject to appropriate data security obligations (and, if not already the case, make data security compliance a key criterion applied in the procurement process).

Written by Cheng Lim is a partner at global law firm King & Wood Mallesons. Cheng leads KWM’s Cyber-Resilience initiative and has assisted clients over many years in dealing with privacy, data security and data breaches. Originally produced for CIO Australia.

Like this:

Skyhigh Networks has released the industry’s first Office 365 Cloud Adoption and Risk Report. The report analyses use of Office 365 across more than 21 million employees and found that over 87.3% of enterprises have adopted Microsoft cloud-based services including Word, Excel, PowerPoint, Exchange Online, OneDrive and SharePoint Online.

The new Office for Windows 10 universal apps require an Office 365 subscription, which should drive massive adoption of OneDrive and SharePoint Online. The Skyhigh Office 365 Cloud Adoption and Risk Report highlights that Office 365 has already established a foothold in a majority of enterprises and provides a benchmark for future growth.

Office 365 Landscape in the Enterprise

87.3% of organizations have at least 100 employees using Office 365

93.2% of employees are still using Microsoft on-premise solutions.

This finding suggests that while Office 365 has tremendous traction in enterprises, it is in the early innings and there is a massive opportunity ahead to transition all employees to Office 365.

Office 365 Landscape between Enterprises

The average large organization collaborates with 72 business partners on Office 365. Top industries collaborating with partners via Office 365 are high-tech, manufacturing, energy, financial services and business services, respectively. This makes Office 365 one of the top “collaboration” services connecting businesses to each other.

Office 365 Houses Valuable Data

1.37 terabytes of data are uploaded to Office 365 each month by the average organization, equivalent to approximately 1 billion Word documents.

17.4% of documents in Office 365 contain sensitive data

4.2% of the sensitive data stored in Office 365 was classified as personally identifiable information (PII) such as social security numbers, phone numbers and home addresses

2.2% of the sensitive data was protected health information

1.8% was payment data including credit card and bank account numbers

9.2%, corporate data such as financial statements, business plans and source code makes up the largest percentage of sensitive data stored in Office 365.

Perhaps the most shocking of the report’s findings was that enterprises have an average of 143 files in Office 365 with “password” in the filename.

Increasing Need for Cloud Security

While Microsoft offers security for its cloud-based services, many enterprises require an additional layer of protection for corporate data in Office 365.

It’s important to strike a balance between what tools and services you provide your employees and what security controls to have around those services to track data and manage confidential information,” said Tim Topkins, Senior Director of Security Innovation at Aetna. “Companies should look for solutions that make the secure path the easy path. A frictionless approach to visibility, compliance, data security and threat detection on top of a service in demand like Office 365 creates a secure and productive workforce

Like this:

Many organizations approach a PCI audit with fear and trepidation. There are a lot of stories out there about how difficult, expensive and disruptive a PCI audit can be, but I want to see if I can add some balance to this view. I believe that when it comes to a PCI auditor it matters a great deal who you are working with. We just completed a PCI audit of our Alliance Key Manager for VMware solution and it gave me a whole new perspective and attitude about the audit process. Our PCI work was conducted by Coalfire, a security company that provides PCI audit services as well as audit services for the health and financial communities. Most of my remarks will reflect on the great experience we had with Coalfire and some of the lessons we learned.

As is true of financial auditors, the QSA auditor has a duty to accurately assess the security of your IT systems to insure that they meet or exceed the PCI Data Security Standards (PCI DSS) as outlined by the PCI Security Standards Council (PCI SSC). They have a professional responsibility to tell you where you meet the PCI DSS standard, and where you fall short. That “falling short” part is the thing most people dread hearing about.

I would suggest that this is exactly where a good security audit can be very helpful. We need to know where our security is weak, and we need to know how to fix the problems. A good QSA auditor will be more than a gatekeeper for the PCI security standards – they will be a trusted advisor on how to get things right from a security perspective. That practical advice is exactly what we need to protect our sensitive data.

Finding problems and fixing them is less expensive than suffering a data breach and then scrambling to fix the problems.

Another often overlooked benefit of having a good QSA auditor is that you get a get a trusted advisor in the process. It is one thing to have an auditor point out the faults in your security strategy, it is another to find an auditor who can advise you on the security strategies and potential solutions that can help you. While there must be an arms-length relationship between an auditor and a solution provider, your QSA auditor should be able to point you to a number of solutions that can help you mitigate security weaknesses. An experienced auditor is going to help you navigate towards a good solution.

It is hard to quantify the benefit of this type of guidance, but I personally think it is invaluable.

The take-away is that you should set high expectations for the relationship you develop with your QSA auditor. You can walk away from the experience with checks in boxes, or you can meet PCI compliance AND achieve a credible security strategy and trusted advisor. I found the latter in my relationship with Coalfire.

Like this:

Police forces like all other organisations must comply with the Data Protection Act. The police especially must ensure that they have legitimate grounds for processing personal data and disclosing images of this nature without a justifiable policing purpose could potentially breach the Data Protection Act. We will follow this up with the Force concerned

I have often wondered about the sharing of images and how in certain circumstances it could lead to the wrong person or a known person being identified e.g. a photo-fit image created by a Police Artist often looks like everyone’s next door neighbour.

Equally if a person in the public spot light cannot have their image shared by a public body then how can a media outlet, who is also governed by the Data Protection Act, show images that people do not want sharing.

It will be interesting to see what the outcome will be and if Michael McIntyre complains.

Like this:

According to a report commissioned by the Metals Service Center Institute (MSCI), cyber security poses complicated threats for metals companies.

The report was compiled by graduate students at the Boeing Center for Technology, Information & Management (BCTIM) at the Olin School of Business at Washington University in St. Louis.

Other research has shown that cybercrimes are growing more common, more costly, and taking longer to resolve. According to the findings of the fifth annual Cost of Cyber Crime Study conducted by the respected Ponemon Institute the 2014 global study of U.S.-based companies found:

The average cost of cybercrime climbed by more than 9% to $12.7 million for companies in the United States, up from 11.6 million in the 2013 study

The average time to resolve a cyber-attack is also rising, climbing to 45 days, up from 32 days in 2013

With data breaches happening frequently, our members and all companies must be concerned about the safety of their data and honestly ask themselves if they are as well protected as they think they are,” said M. Robert Weidner, III, MSCI president and CEO. “The potential damage to the company is compounded by how long it would take to be up and running again and at what cost and the cost of lost revenue

These concerns and questions prompted MSCI to ask BCTIM to research the cyber security threat, specifically as it relates to the metals industry.

From the report, three key lessons for executives concerned or dealing with cyber security emerged:

Cyber security efforts require C-suite support. Executives must be directly involved in the management of their company’s cyber risk, creating and implementing the processes and policies necessary. Little happens in this arena without the top executive pushing for and supporting change.

The biggest risk to any size company is internal. Employees have access to critical information. That fact, coupled with a lack of proper cyber security policies, procedures and processes leads to vulnerabilities. An example: Most employees are not trained to detect email and phishing scams (the U.S. Steel and Alcoa breaches a few years ago were prompted by phishing scams).

If a company is unsure about reducing their cyber security risk, the policies and procedures necessary and the next steps to take, they should get help from a specialized third part with the necessary expertise.

Like this:

The threat of cyber attack reaches every part of modern society, and insurance could have an important role to play in helping organisations to manage their cyber risk exposure.

However, there is a significant level of uncertainty attached to the impact of severe events. Lloyd’s of London has published a research report that aims to contribute to the knowledge base required to develop the next generation of insurance solutions for the digital age.

The research estimates the economic and insurance impacts of a severe, yet plausible, cyber attack against the US power grid. While the analysis focuses on the USA, we believe that it provides a framework for thinking about severe cyber attacks anywhere in the world. The key findings of the report are:

The attackers are able to inflict physical damage on 50 generators which supply power to the electrical grid in the Northeastern USA, including New York City and Washington DC.

While the attack is relatively limited in scope (nearly 700 generators supply electricity across the region) it triggers a wider blackout which leaves 93 million people without power.

The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario.

Insurance claims arise in over 30 lines of insurance. The total insured losses are estimated at $21.4bn, rising to $71.1bn in the most extreme version of the scenario.

A key requirement for an insurance response to cyber risks will be to enhance the quality of data available and to continue the development of probabilistic modelling.

The sharing of cyber attack data is a complex issue, but it could be an important element for enabling the insurance solutions required for this key emerging risk.

Like this:

The ‘EU28 Cloud Security Conference: “Reaching the Cloud Era in the European Union” brought to the foreground the current cloud landscape. The aim of the conference was to bring together practitioners, academics and policy makers to discuss the level of cloud computing security in the context of current and future policy activities. The conference included presentations and panel debates on legal and compliance issues, technical advancements, privacy and personal data protection, critical information infrastructures and cloud certification.

During the conference the important role of cloud computing was acknowledged for the development of the digital economy in Europe. Cloud computing is becoming essential for users, including individual consumers, businesses and public sector organisations. However, recent figures indicate that users’ concerns on cloud security are still the main barrier to the adoption of cloud services in Europe.

Key conclusions highlight that:

There is a need to raise awareness and educate users and SMEs on cloud security, to encourage safe and responsible use of cloud services. “Informed customers” should be able to ask the right questions to providers and understand where their responsibilities lay, and SMEs understand that they are co-responsible for the security of the cloud services provided. A risk assessment culture should be nourished applicable to all. Transparency of cloud services must be improved by the implementation of continuous monitoring mechanisms, increasing accountability through evidence-based assurance solutions, and certification, keeping in mind that one size does not fit all. Rapid, context-based information sharing of incidents within the industry sectors, will also enable collaborative information security able to respond quickly to the changing cybersecurity landscape.

There is a need for flexible policy approaches towards cloud security to allow further technological advancements. Within this framework co-regulatory and self-regulatory initiatives should be supported, and create technology-neutral legal guidelines and obligations based on principles, to allow for flexible solutions. Europe-wide solutions should be encouraged.

Data protection is an important element to be considered. Implementation of existing rules and techniques should be encouraged and this information should be shared.

Governmental clouds bring benefits to cloud security. There is space to strengthen cooperation and define clear procurement guidelines built on cooperation between industry and public sector. Furthermore, customised solutions based on the needs of each country and sharing of best practices can be encouraged.

Cloud benefits from an open market. Meanwhile discussions are required on security in relation to data location requirements, foreign jurisdiction and access to European data.

As cloud usage for critical sectors is increasing there is a need for elaborated security measures and specific risk assessment techniques addressing each critical sector’s needs.

Furthermore, cloud security was discussed in relation to the recent regulatory and policy initiatives, such as the ongoing data protection reform, the proposal for a Network and Information Security directive, cloud computing communication and the Digital Single Market strategy. There was consensus that further policy actions on cloud security could support trust and confidence in cloud services by addressing the key findings and issues deriving from the conference.

Like this:

Risk managers identify technology, supply chain and regulatory as the “big three” risks currently causing their organisations the greatest concern, according to a survey of 500 companies in Europe, the Middle East and Africa conducted for global insurer ACE’s Emerging Risks Barometer 2015. People risk sits just outside the top-three, while geopolitical risk completes the top-five emerging risk categories.

Technologyrisk

Technology plays a role in almost every business’s strategic planning, whether in the development of new services or products or as an enabler of operational effectiveness. When it comes to technology risk management, however, our research suggests that companies may not be focusing on the right areas, due to a lack of knowledge about the most likely sources of threat.

Which of the following risk categories are currently causing you greatest concern as a business?

43% Technology risk (including cyber security)

31% Supply chain, finance and logistics risk

27% Regulatory and compliance risk

26% People risk (including risks to people such as personal accidents and disease, risks caused by people such as fraud and labour disputes, and talent risks)

15% Environmental liability risk (such as pollution or failure to understand/comply with local regulation)

15% Natural catastrophe risk

14% Terrorism and political violence risk

Supply chainrisk

As in our 2013 Barometer, supply chain risk remains a major concern. As companies expand into new markets using ever more complex networks of suppliers and partners the supply chain is at once an enabler of growth and a key source of risk.

In recent years, we have seen major disruptions to supply chains, caused by events such as Hurricane Sandy which prompted the most extreme fuel shortages since the 1970s and 2014’s widespread flooding in India and Pakistan, which caused US$12 billion in losses. After responding admirably to these and other catastrophes, risk managers say they have achieved a better handle on business interruption risk.

Today, businesses are better prepared and therefore less concerned about interruption caused by natural disasters. Instead, they are focusing more on issues that can harm their corporate reputations. Our respondents rank unethical labour practices as their biggest supply chain worry. Yet 61% admit they cannot always vouch for the ethical and trading standards of every company in their supply chain.

EMERGING RISKS BAROMETER 2015

Which of the following risks currently consume the most time and resources in your organisation?

Technology risk

47%

Supply chain, finance and logistics risk

32%

Regulatory and compliance risk

29%

People risk

28%

Geopolitical risk

25%

Reputational risk

23%

Managementliabilityrisk(includingdirectors& officers liability)

14%

Environmental liability risk

12%

Terrorism and political violence risk

12%

Natural catastrophe risk

11%

(Don’t know / Not applicable: 2%)

Regulatory and compliance risk

27% of respondents say regulatory and compliance risk is among their greatest concerns. The category also comes third in the list of risks with the potential to cause significant financial impact over the next two years, cited by 27% of respondents, and third in the list of risks consuming the most time and resources (29%).

Which of these risk categories do you expect will have the most significant financial impact on your business in the next two years?

Technology risk

47%

Supply chain, finance and logistics risk

31%

Regulatory and compliance risk

27%

Geopolitical risk

26%

People risk

25%

Reputational risk

22%%

Management liabilityrisk

17%

Natural catastrophe risk

11%

Terrorism and political violence risk

11%

Environmental liability risk

10%

(Don’t know / Not applicable: 2%)

While highly regulated sectors such as financial services and energy face the most extreme regulatory challenges, no company is immune. As businesses pursue growth on a global scale, they face a patchwork of regulatory regimes, across markets and jurisdictions.

Other risk to watch

The rise of people risk

People risk only narrowly missed out on a place in our Big Three Risks. over a quarter (26%) say this risk, including risks to people, risks caused by people and talent risks is among their greatest concerns.

34% say their greatest concern in relation to people risk is time lost to labour disputes. In recent years, we have seen substantial labour action in the UK and Germany as well as in supplier nations such as China. At the same time 75% of respondents say recent global events, such as political unrest in Ukraine and the Middle East are causing them to review their travel and security policies.

Geopolitical risk to grow in importance?

Regime change, asset confiscation, protectionism and other geopolitical risks also pose a real threat for business. Respondents today are largely confident in their ability to manage this risk, but only 30% say they are very confident. As a quarter (26%) also believe geopolitical risk will have a significant financial impact over the next two years, we could expect the risk to appear higher in the future, especially as companies continue to expand overseas.

Respondents are primarily concerned about foreign governments cancelling operating licences, concessions or contracts. The majority (68%) believe foreign governments are already making it more difficult for them to plan ahead.

Like this:

Christopher Graham points to the strengthening of his regulatory powers to show how the legislation continues to develop. In the past year, the ICO was given powers to compulsorily audit NHS bodies for their data handling, while forcing a potential employee to make a subject access request for, for example, their spent criminal record was also made an offence. A law change also made it easier to issue fines to companies behind nuisance calls and texts.

Information Commissioner Christopher Graham said:
“It’s thirty years since this office was established in Wilmslow. We’ve seen real developments in the laws we regulate during that time, particularly over the past year. Just look at the EU Court of Justice ruling on Google search results, a case that could never have been envisaged when the data protection law was established.

“Our role throughout has been to be the responsible regulator of these laws. More than that, we work to demystify some of this legislation, making clear that data protection isn’t to be seen as a hassle or a duck-out, but a fundamental right.

“A good example of that is our role in the new data protection package being developed in Brussels. We’ve been asked for our advice, based on our experience regulating the existing law, while we’ve also provided a sensible commentary on proceedings for interested observers.

“That role will continue this year, in what promises to be a crucial twelve months. The reform is overdue, but it is vital that we get the detail right on a piece of legislation that needs to work in practice and to last.”

“It is striking to see how decisions that were so hard fought in the early years have resulted in routine publication of information. Publication of safety standards of different models of cars, for example; or hygiene standards in pubs and restaurants; and surgical performance records of hospital consultants. Publication is now expected and unexceptionable.

“It’s been the ICO’s job to help public authorities to comply with requests,” Mr Graham will say. “The ICO’s role has led to information being released that time and time again has delivered real benefits for the UK.”

“Our Annual Report is our claim to be listened to in the debates around information rights. It shows the ICO knows what it is talking about.”

The ICO annual report reflects on the financial year 2014/15. Key stats include:

14,268 – data protection concerns received

£1,078,500 – total CMPs issued, £386,000 of which were for companies behind nuisance calls or texts

195,431 – helpline calls answered

11.4% – rise in number of concerns raised about nuisance calls and texts (to 180,188)